Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Wordfence Intelligence   >   Vulnerability Database   >   WordPress Plugins   >   Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Information

Software Type Plugin
Software Slug forminator (view on wordpress.org)
Software Status Active
Software Author wpmudev
Software Website wpmudev.com
Software Downloads 18,762,594
Software Active Installs 600,000
Software Record Last Updated June 18, 2026

Showing 1-20 of 41 Vulnerabilities

Submit a Vulnerability
Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook
6.5
CVE-2026-6214
May 6, 2026
Researcher: anhcd05
Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter
5.3
CVE-2026-6222
May 6, 2026
Researcher: anhcd05
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.52.1 - Unauthenticated Arbitrary File Read via 'upload-1[file][file_path]'
7.5
CVE-2026-5192
May 4, 2026
Researcher: daroo
Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter
5.3
CVE-2026-2729
May 4, 2026
Researcher: Kittipat Jitphonchana
Forminator <= 1.50.2 - Missing Authorization
5.3
CVE-2026-32409
Feb 22, 2026
Researcher: Nguyen Tien Dung
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
4.4
CVE-2026-2002
Feb 16, 2026
Researcher: Tiến Dũng Nguyễn
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export
5.3
CVE-2025-14782
Jan 8, 2026
Researcher: type5afe
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 - Authenticated (Administrator+) SQL Injection via `order_by` Parameter
4.9
CVE-2025-7638
Jul 17, 2025
Researcher: Chive
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion
7.5
CVE-2025-6464
Jul 1, 2025
Researcher: Phat RiO
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion
8.8
CVE-2025-6463
Jul 1, 2025
Researcher: Phat RiO
Forminator <= 1.44.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters
6.4
CVE-2025-5341
Jun 4, 2025
Researcher: Asaf Mozes
Forminator <= 1.42.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'limit'
6.4
CVE-2025-3487
Apr 16, 2025
Researcher: Asaf Mozes
Forminator <= 1.42.0 - Order Replay Vulnerability
5.3
CVE-2025-3479
Apr 16, 2025
Researcher: Asaf Mozes
Forminator <= 1.39.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2025-0469
Feb 26, 2025
Researcher: Asaf Mozes
Forminator <= 1.38.2 - Reflected Cross-Site Scripting via Title Parameter
6.1
CVE-2025-0470
Jan 30, 2025
Researcher: Asaf Mozes
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.38.2 - Authenticated (Admin+) Stored Cross-Site Scripting
4.4
CVE-2024-7052
Jan 24, 2025
Researcher: Dmitrii Ignatyev
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation
5.3
CVE-2024-9700
Oct 30, 2024
Researcher: Vijaysimha Reddy (vijaysimha)
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Missing Authorization to Authenticated (Contributor+) Form Update and Creation
7.5
CVE-2024-10402
Oct 25, 2024
Researcher: wesley (wcraft)
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Quiz Creation
4.3
CVE-2024-9351
Oct 16, 2024
Researcher: Vijaysimha Reddy (vijaysimha)
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Custom Form Creation
4.3
CVE-2024-9352
Oct 16, 2024
Researcher: Vijaysimha Reddy (vijaysimha)
Title Status CVE ID CVSS Researchers Date
Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook Patched CVE-2026-6214 6.5 anhcd05 May 6, 2026
Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter Patched CVE-2026-6222 5.3 anhcd05 May 6, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.52.1 - Unauthenticated Arbitrary File Read via 'upload-1[file][file_path]' Patched CVE-2026-5192 7.5 daroo May 4, 2026
Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter Patched CVE-2026-2729 5.3 Kittipat Jitphonchana May 4, 2026
Forminator <= 1.50.2 - Missing Authorization Patched CVE-2026-32409 5.3 Nguyen Tien Dung February 22, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting Patched CVE-2026-2002 4.4 Tiến Dũng Nguyễn February 16, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export Patched CVE-2025-14782 5.3 type5afe January 8, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 - Authenticated (Administrator+) SQL Injection via `order_by` Parameter Patched CVE-2025-7638 4.9 Chive July 17, 2025
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion Patched CVE-2025-6464 7.5 Phat RiO July 1, 2025
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion Patched CVE-2025-6463 8.8 Phat RiO July 1, 2025
Forminator <= 1.44.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters Patched CVE-2025-5341 6.4 Asaf Mozes June 4, 2025
Forminator <= 1.42.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'limit' Patched CVE-2025-3487 6.4 Asaf Mozes April 16, 2025
Forminator <= 1.42.0 - Order Replay Vulnerability Patched CVE-2025-3479 5.3 Asaf Mozes April 16, 2025
Forminator <= 1.39.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Patched CVE-2025-0469 6.4 Asaf Mozes February 26, 2025
Forminator <= 1.38.2 - Reflected Cross-Site Scripting via Title Parameter Patched CVE-2025-0470 6.1 Asaf Mozes January 30, 2025
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.38.2 - Authenticated (Admin+) Stored Cross-Site Scripting Patched CVE-2024-7052 4.4 Dmitrii Ignatyev January 24, 2025
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation Patched CVE-2024-9700 5.3 Vijaysimha Reddy (vijaysimha) October 30, 2024
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Missing Authorization to Authenticated (Contributor+) Form Update and Creation Patched CVE-2024-10402 7.5 wesley (wcraft) October 25, 2024
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Quiz Creation Patched CVE-2024-9351 4.3 Vijaysimha Reddy (vijaysimha) October 16, 2024
Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Custom Form Creation Patched CVE-2024-9352 4.3 Vijaysimha Reddy (vijaysimha) October 16, 2024

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation